Merge pull request #11070 from nipun-crestdatasystem/InfobloxASIMParsers

ASIM Parsers for Infoblox

ASIM/dev/ASimTester/ASimTester.csv

@@ -548,11 +548,11 @@ EventOwner,string,Optional,RegistryEvent,,,
 EventOwner,string,Optional,UserManagement,,,
 EventOwner,string,Optional,WebSession,,,
 EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace,
-EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud,
+EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne,
 EventProduct,string,Mandatory,Common,,,
-EventProduct,string,Mandatory,DhcpEvent,,,
+EventProduct,string,Mandatory,DhcpEvent,,BloxOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace,
-EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate,
+EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
@@ -678,9 +678,9 @@ EventUid,string,Recommended,RegistryEvent,,,
 EventUid,string,Recommended,UserManagement,,,
 EventUid,string,Recommended,WebSession,,,
 EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google,
-EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware,
+EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox,
 EventVendor,string,Mandatory,Common,,,
-EventVendor,string,Mandatory,DhcpEvent,,,
+EventVendor,string,Mandatory,DhcpEvent,,Infoblox,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,

Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml

@@ -32,6 +32,7 @@ Parsers:
   - _ASim_AuditEvent_VectraXDRAudit
   - _ASim_AuditEvent_SentinelOne
   - _ASim_AuditEvent_VMwareCarbonBlackCloud
+  - _ASim_AuditEvent_InfobloxBloxOne
 ParserParams:
   - Name: pack
     Type: bool
@@ -54,5 +55,6 @@ ParserQuery: |
     ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),
     ASimAuditEventSentinelOne  (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),
     ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),
-    ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))
+    ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
+    ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers)))
 

Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml

@@ -0,0 +1,143 @@
+Parser:
+  Title: AuditEvent ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: AuditEvent
+  Version: '0.1'
+References:
+- Title: ASIM AuditEvent Schema
+  Link: https://aka.ms/ASimAuditEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+- Link: https://docs.infoblox.com/space/BloxOneThreatDefense/35406922/DNS+Query%2FResponse+Log+Message+Mapping
+Description: |
+  This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: ASimAuditEventInfobloxBloxOne
+EquivalentBuiltInParser: _ASim_AuditEvent_InfobloxBloxOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: 
+  let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string)
+      [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)
+  [
+    "CreateSecurityPolicy", "Security Policy", "Policy Role",
+    "UpdateSecurityPolicy", "Security Policy", "Policy",
+    "Create", "Network Resource", "Service",
+    "Update", "Network Resource", "Service",
+    "Restore", "Infoblox Resource", "Service",
+    "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
+    "CreateOrUpdateDfpService", "Dfp Service", "Service",
+    "MoveToRecyclebin", "Recyclebin", "Other",
+    "CreateCategoryFilter", "Category Filter", "Other",
+    "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other",
+    "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
+    "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
+    "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
+  ];
+  let parser = (disabled:bool=false) {
+      CommonSecurityLog
+      | where not(disabled)
+          and DeviceVendor == "Infoblox"
+          and DeviceEventClassID has "AUDIT"
+      | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=")
+      | lookup EventSeverityLookup on LogSeverity
+      | lookup OperationLookup on DeviceAction
+      | invoke _ASIM_ResolveDvcFQDN('CollectorHostName')
+      | project-rename
+          EventResult = EventOutcome,
+          Operation = DeviceAction,
+          ActorUsername = SourceUserName,
+          SrcIpAddr = SourceIP,
+          EventOriginalSeverity = LogSeverity,
+          EventMessage = Message,
+          EventOriginalType = DeviceEventClassID,
+          EventUid = _ItemId
+      | extend
+          Dvc = DvcHostname,
+          EventEndTime = TimeGenerated,
+          EventStartTime = TimeGenerated,
+          EventType = case(
+                  Operation has_any ("update", "upsert"),
+                  "Set", 
+                  Operation has "create",
+                  "Create",
+                  Operation has "delete",
+                  "Delete",
+                  "Other"
+              ),
+          Object = iff(isempty(Object), "Infoblox Network Resource", Object),
+          ObjectType = iff(isempty(ObjectType), "Service", ObjectType),
+          Src = SrcIpAddr,
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          AdditionalFields = bag_pack(
+                        "InfobloxHTTPReqBody",
+                        InfobloxHTTPReqBody,
+                        "InfobloxHTTPRespBody",
+                        InfobloxHTTPRespBody
+                    ),
+          User = ActorUsername,
+          IpAddr = SrcIpAddr,
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+      | extend
+          EventCount = toint(1),
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventSchema = "AuditEvent",
+          EventSchemaVersion = "0.1"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          ExtID,
+          Reason,
+          Activity,
+          Infoblox*
+  };
+  parser(disabled=disabled)

Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml

@@ -32,6 +32,7 @@ Parsers:
   - _Im_AuditEvent_VectraXDRAudit
   - _Im_AuditEvent_SentinelOne
   - _Im_AuditEvent_VMwareCarbonBlackCloud
+  - _Im_AuditEvent_InfobloxBloxOne
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -85,5 +86,6 @@ ParserQuery: |
       vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),
       vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),
       vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),
-      vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))))
+      vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))),
+      vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers))))
 

Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml

@@ -0,0 +1,179 @@
+Parser:
+  Title: AuditEvent ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: AuditEvent
+  Version: '0.1'
+References:
+- Title: ASIM AuditEvent Schema
+  Link: https://aka.ms/ASimAuditEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+  Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+  This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: vimAuditEventInfbloxBloxOne
+EquivalentBuiltInParser: _Im_AuditEvent_InfobloxBloxOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: operation_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype_in
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventresult
+    Type: string
+    Default: '*'
+  - Name: actorusername_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: object_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: newvalue_has_any
+    Type: dynamic
+    Default: dynamic([])
+ParserQuery: |
+  let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string)
+      [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)
+  [
+    "CreateSecurityPolicy", "Security Policy", "Policy Role",
+    "UpdateSecurityPolicy", "Security Policy", "Policy",
+    "Create", "Network Resource", "Service",
+    "Update", "Network Resource", "Service",
+    "Restore", "Infoblox Resource", "Service",
+    "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
+    "CreateOrUpdateDfpService", "Dfp Service", "Service",
+    "MoveToRecyclebin", "Recyclebin", "Other",
+    "CreateCategoryFilter", "Category Filter", "Other",
+    "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other",
+    "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
+    "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
+    "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
+  ];
+  let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
+      CommonSecurityLog
+      | where not(disabled) 
+          and (isnull(starttime) or TimeGenerated >= starttime) 
+          and (isnull(endtime) or TimeGenerated <= endtime) 
+          and DeviceVendor == "Infoblox"
+          and DeviceEventClassID has "AUDIT"
+          and (eventresult == "*" or EventOutcome =~ eventresult)
+          and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any))
+          and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))
+          and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any))
+          and array_length(newvalue_has_any) == 0
+      | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=")
+      | extend EventType = case(
+                  DeviceAction has_any ("update", "upsert"),
+                  "Set", 
+                  DeviceAction has "create",
+                  "Create",
+                  DeviceAction has "delete",
+                  "Delete",
+                  "Other"
+              )
+      | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
+      | lookup EventSeverityLookup on LogSeverity
+      | lookup OperationLookup on DeviceAction
+      | extend Object = iff(isempty(Object), "Infoblox Network Resource", Object),
+        ObjectType = iff(isempty(ObjectType), "Service", ObjectType)
+      | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))
+      | invoke _ASIM_ResolveDvcFQDN('CollectorHostName')
+      | project-rename
+          EventResult = EventOutcome,
+          Operation = DeviceAction,
+          ActorUsername = SourceUserName,
+          SrcIpAddr = SourceIP,
+          EventOriginalSeverity = LogSeverity,
+          EventMessage = Message,
+          EventOriginalType = DeviceEventClassID,
+          EventUid = _ItemId
+      | extend
+          Dvc = DvcHostname,
+          EventEndTime = TimeGenerated,
+          EventStartTime = TimeGenerated,
+          Src = SrcIpAddr,
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          AdditionalFields = bag_pack(
+                        "InfobloxHTTPReqBody",
+                        InfobloxHTTPReqBody,
+                        "InfobloxHTTPRespBody",
+                        InfobloxHTTPRespBody
+                    ),
+          User = ActorUsername,
+          IpAddr = SrcIpAddr,
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
+      | extend
+          EventCount = toint(1),
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventSchema = "AuditEvent",
+          EventSchemaVersion = "0.1"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          ExtID,
+          Reason,
+          Activity,
+          Infoblox*
+  };
+  parser(disabled=disabled,  starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)

Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimDataTester.csv

@@ -0,0 +1,6 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Infoblox""] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 4 records (11.11%)  in optional field [EventMessage] (Schema:AuditEvent)"

Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv

@@ -0,0 +1,94 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcAction]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [EventResultDetails]"
+"(1) Warning: Missing recommended field [NewValue]"
+"(1) Warning: Missing recommended field [ObjectId]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(1) Warning: Missing recommended field [TargetIpAddr]"
+"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
+"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActingOriginalAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [HttpUserAgent]"
+"(2) Info: Missing optional field [OldValue]"
+"(2) Info: Missing optional field [OriginalObjectType]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetAppName]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDomain]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetOriginalAppType]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [TargetUrl]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [ValueType]"
+"(2) Info: Missing recommended alias [Value] aliasing non-existent column [NewValue]"

Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv

@@ -0,0 +1,6 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Infoblox""] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%)  in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%)  in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 4 records (11.11%)  in optional field [EventMessage] (Schema:AuditEvent)"

Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv

@@ -0,0 +1,94 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcAction]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [EventResultDetails]"
+"(1) Warning: Missing recommended field [NewValue]"
+"(1) Warning: Missing recommended field [ObjectId]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(1) Warning: Missing recommended field [TargetIpAddr]"
+"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
+"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActingOriginalAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [HttpUserAgent]"
+"(2) Info: Missing optional field [OldValue]"
+"(2) Info: Missing optional field [OriginalObjectType]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetAppName]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDomain]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetOriginalAppType]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [TargetUrl]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [ValueType]"
+"(2) Info: Missing recommended alias [Value] aliasing non-existent column [NewValue]"

Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml

@@ -22,7 +22,8 @@ ParserQuery: |
   let parser=(pack:bool=false){
   union isfuzzy=true
     vimDhcpEventEmpty,
-    ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))
+    ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers)))),
+    ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers))))
   }; 
   parser (pack=pack)
 ParserParams:
@@ -32,3 +33,4 @@ ParserParams:
 Parsers:
   - _Im_DhcpEvent_Empty
   - _ASim_DhcpEvent_Native
+  - _ASim_DhcpEvent_InfobloxBloxOne

Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml

@@ -0,0 +1,135 @@
+Parser:
+  Title: DhcpEvent ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: DhcpEvent
+  Version: '0.1'
+References:
+- Title: ASIM DhcpEvent Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+  Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+  This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: ASimDhcpEventInfobloxBloxOne
+EquivalentBuiltInParser: _ASim_DhcpEvent_InfobloxBloxOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: 
+  let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+      [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let parser = (disabled:bool=false) {
+      CommonSecurityLog
+      | where not(disabled)
+          and DeviceVendor == "Infoblox"
+          and DeviceEventClassID has "DHCP"
+          and ApplicationProtocol == "DHCP"
+      | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=";", kv_delimiter="=")
+      | lookup EventSeverityLookup on LogSeverity
+      | invoke _ASIM_ResolveSrcFQDN('SourceHostName')
+      | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')
+      | project-rename
+          SrcIpAddr = SourceIP,
+          SrcMacAddr = SourceMACAddress,
+          DhcpLeaseDuration = InfoBloxLifeTime,
+          DhcpSrcDHCId = InfoBloxClientId,
+          EventOriginalSeverity = LogSeverity,
+          EventOriginalType = DeviceEventClassID,
+          EventUid = _ItemId
+      | extend
+          EventEndTime = TimeGenerated,
+          EventStartTime = TimeGenerated,
+          EventType = iff(Activity has_any ("Abandon", "Delete"), "Release", "Assign"),
+          AdditionalFields = bag_pack(
+                        "InfobloxIPSpace",
+                        InfobloxIPSpace,
+                        "InfobloxSubnet",
+                        InfobloxSubnet,
+                        "InfobloxRangeStart",
+                        InfobloxRangeStart,
+                        "InfobloxRangeEnd",
+                        InfobloxRangeEnd,
+                        "InfobloxLeaseOp",
+                        InfobloxLeaseOp,
+                        "InfobloxClientID",
+                        InfobloxClientID,
+                        "InfobloxDUID",
+                        InfobloxDUID,
+                        "InfobloxLeaseUUID",
+                        InfobloxLeaseUUID,
+                        "InfobloxFingerprintPr",
+                        InfobloxFingerprintPr,
+                        "InfobloxFingerprint",
+                        InfobloxFingerprint,
+                        "InfobloxDHCPOptions",
+                        InfobloxDHCPOptions
+                    ),
+          Duration = DhcpLeaseDuration,
+          IpAddr = SrcIpAddr
+      | extend
+          EventCount = toint(1),
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventResult = "Success",
+          EventSchema = "DhcpEvent",
+          EventSchemaVersion = "0.1"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          EventOutcome,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          CollectorHostName,
+          ExtID,
+          Reason,
+          Message,
+          Activity,
+          Infoblox*
+  };
+  parser(disabled=disabled)

Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml

@@ -55,9 +55,11 @@ ParserQuery: |
   {
   union isfuzzy=true
     vimDhcpEventEmpty,
-    vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))
+    vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers)))),
+    vimDhcpEventInfobloxBloxOne (starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, srchostname_has_any = srchostname_has_any, srcusername_has_any = , eventresult = eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventInfobloxBloxOne' in (DisabledParsers))))
   };
   parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)
 Parsers:
   - _Im_DhcpEvent_Empty
   - _Im_DhcpEvent_Native
+  - _Im_DhcpEvent_InfobloxBloxOne

Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml

@@ -0,0 +1,175 @@
+Parser:
+  Title: DhcpEvent ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: DhcpEvent
+  Version: '0.1'
+References:
+- Title: ASIM DhcpEvent Schema
+  Link: https://aka.ms/ASimDhcpEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+  Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+  This ASIM parser supports normalizing DhcpEvent logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: vimDhcpEventInfobloxBloxOne
+EquivalentBuiltInParser: _Im_DhcpEvent_InfobloxBloxOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: srchostname_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: srcusername_has_any
+    Type: dynamic 
+    Default: dynamic([])
+  - Name: eventresult
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+      [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let parser = (
+        starttime:datetime=datetime(null), 
+        endtime:datetime=datetime(null),
+        srcipaddr_has_any_prefix:dynamic=dynamic([]),
+        srchostname_has_any:dynamic=dynamic([]),
+        srcusername_has_any:dynamic=dynamic([]),
+        eventresult:string='*',
+        disabled:bool=false
+    ) {
+      CommonSecurityLog
+      | where not(disabled)
+          and (isnull(starttime) or TimeGenerated >= starttime) 
+          and (isnull(endtime) or TimeGenerated <= endtime)
+          and DeviceVendor == "Infoblox"
+          and DeviceEventClassID has "DHCP"
+          and ApplicationProtocol == "DHCP"
+          and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))
+          and (array_length(srchostname_has_any) == 0 or (SourceHostName  has_any (srchostname_has_any)))
+          and array_length(srcusername_has_any) == 0
+          and ((eventresult == "*") or (eventresult == "Success"))
+      | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=";", kv_delimiter="=")
+      | lookup EventSeverityLookup on LogSeverity
+      | invoke _ASIM_ResolveSrcFQDN('SourceHostName')
+      | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')
+      | project-rename
+          SrcIpAddr = SourceIP,
+          SrcMacAddr = SourceMACAddress,
+          DhcpLeaseDuration = InfoBloxLifeTime,
+          DhcpSrcDHCId = InfoBloxClientId,
+          EventOriginalSeverity = LogSeverity,
+          EventOriginalType = DeviceEventClassID,
+          EventUid = _ItemId
+      | extend
+          EventEndTime = TimeGenerated,
+          EventStartTime = TimeGenerated,
+          EventType = iff(Activity has_any ("Abandon", "Delete"), "Release", "Assign"),
+          AdditionalFields = bag_pack(
+                        "InfobloxIPSpace",
+                        InfobloxIPSpace,
+                        "InfobloxSubnet",
+                        InfobloxSubnet,
+                        "InfobloxRangeStart",
+                        InfobloxRangeStart,
+                        "InfobloxRangeEnd",
+                        InfobloxRangeEnd,
+                        "InfobloxLeaseOp",
+                        InfobloxLeaseOp,
+                        "InfobloxClientID",
+                        InfobloxClientID,
+                        "InfobloxDUID",
+                        InfobloxDUID,
+                        "InfobloxLeaseUUID",
+                        InfobloxLeaseUUID,
+                        "InfobloxFingerprintPr",
+                        InfobloxFingerprintPr,
+                        "InfobloxFingerprint",
+                        InfobloxFingerprint,
+                        "InfobloxDHCPOptions",
+                        InfobloxDHCPOptions
+                    ),
+          Duration = DhcpLeaseDuration,
+          IpAddr = SrcIpAddr
+      | extend
+          EventCount = toint(1),
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventResult = "Success",
+          EventSchema = "DhcpEvent",
+          EventSchemaVersion = "0.1"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          EventOutcome,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          CollectorHostName,
+          ExtID,
+          Reason,
+          Message,
+          Activity,
+          Infoblox*
+  };
+  parser (
+    starttime                = starttime,
+    endtime                  = endtime,
+    srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
+    srchostname_has_any      = srchostname_has_any,
+    srcusername_has_any      = srcusername_has_any,
+    eventresult              = eventresult,
+    disabled                 = disabled
+  )

Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv

@@ -0,0 +1,10 @@
+Result
+"(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)"
+"(1) Warning: Empty value in 129 records (12.9%)  in mandatory field [SrcHostname] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DvcFQDN] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [DvcDomain] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [DvcHostname] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [SrcDomain] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 906 records (90.6%)  in optional field [SrcFQDN] (Schema:DhcpEvent)"

Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv

@@ -0,0 +1,72 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcAction]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [EventResultDetails]"
+"(1) Warning: Missing recommended field [Src]"
+"(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]"
+"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DhcpSessionId]"
+"(2) Info: Missing optional alias [Username] aliasing non-existent column [SrcUsername]"
+"(2) Info: Missing optional field [DhcpCircuitId]"
+"(2) Info: Missing optional field [DhcpSessionDuration]"
+"(2) Info: Missing optional field [DhcpSessionId]"
+"(2) Info: Missing optional field [DhcpSubscriberId]"
+"(2) Info: Missing optional field [DhcpUserClassId]"
+"(2) Info: Missing optional field [DhcpUserClass]"
+"(2) Info: Missing optional field [DhcpVendorClassId]"
+"(2) Info: Missing optional field [DhcpVendorClass]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [RequestedIpAddr]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserScopeId]"
+"(2) Info: Missing optional field [SrcUserScope]"
+"(2) Info: Missing optional field [SrcUserSessionId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcUserUid]"
+"(2) Info: Missing optional field [SrcUsername]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"

Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv

@@ -0,0 +1,10 @@
+Result
+"(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)"
+"(1) Warning: Empty value in 129 records (12.9%)  in mandatory field [SrcHostname] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [DvcFQDN] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [DvcDomain] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [DvcHostname] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 1000 records (100.0%)  in recommended field [SrcDomain] (Schema:DhcpEvent)"
+"(2) Info: Empty value in 906 records (90.6%)  in optional field [SrcFQDN] (Schema:DhcpEvent)"

Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv

@@ -0,0 +1,72 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcAction]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [EventResultDetails]"
+"(1) Warning: Missing recommended field [Src]"
+"(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]"
+"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DhcpSessionId]"
+"(2) Info: Missing optional alias [Username] aliasing non-existent column [SrcUsername]"
+"(2) Info: Missing optional field [DhcpCircuitId]"
+"(2) Info: Missing optional field [DhcpSessionDuration]"
+"(2) Info: Missing optional field [DhcpSessionId]"
+"(2) Info: Missing optional field [DhcpSubscriberId]"
+"(2) Info: Missing optional field [DhcpUserClassId]"
+"(2) Info: Missing optional field [DhcpUserClass]"
+"(2) Info: Missing optional field [DhcpVendorClassId]"
+"(2) Info: Missing optional field [DhcpVendorClass]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [RequestedIpAddr]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserScopeId]"
+"(2) Info: Missing optional field [SrcUserScope]"
+"(2) Info: Missing optional field [SrcUserSessionId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcUserUid]"
+"(2) Info: Missing optional field [SrcUsername]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"

Parsers/ASimDns/Parsers/ASimDns.yaml

@@ -32,6 +32,7 @@ Parsers:
   - _ASim_Dns_SentinelOne
   - _ASim_Dns_VectraAI
   - _ASim_Dns_ZscalerZIA
+  - _ASim_Dns_InfobloxBloxOne
 ParserParams:
   - Name: pack
     Type: bool
@@ -54,4 +55,5 @@ ParserQuery: |
     ASimDnsNative            (imDnsBuiltInDisabled or ('ExcludeASimDnsNative'             in (DisabledParsers) )),
     ASimDnsSentinelOne       (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne'        in (DisabledParsers) )),
     ASimDnsVectraAI          (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI'           in (DisabledParsers) )),
-    ASimDnsZscalerZIA        (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA'         in (DisabledParsers) ))
+    ASimDnsZscalerZIA        (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA'         in (DisabledParsers) )),
+    ASimDnsInfobloxBloxOne        (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxBloxOne'         in (DisabledParsers) ))

Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml

@@ -0,0 +1,229 @@
+Parser:
+  Title: Dns ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: Dns
+  Version: '0.1.7'
+References:
+- Title: ASIM Dns Schema
+  Link: https://aka.ms/ASimDnsDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+  Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+  This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: ASimDnsInfobloxBloxOne
+EquivalentBuiltInParser: _ASim_Dns_InfobloxBloxOne
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: 
+  let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+    [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)
+      [
+      "A", 1,
+      "NS", 2,
+      "MD", 3,
+      "MF", 4,
+      "CNAME", 5,
+      "SOA", 6,
+      "MB", 7,
+      "MG", 8,
+      "MR", 9,
+      "NULL", 10,
+      "WKS", 11,
+      "PTR", 12,
+      "HINFO", 13,
+      "MINFO", 14,
+      "MX", 15,
+      "TXT", 16,
+      "RP", 17,
+      "AFSDB", 18,
+      "X25", 19,
+      "ISDN", 20,          
+      "RT", 21, 
+      "NSAP", 22,          
+      "NSAPPTR", 23,       
+      "SIG", 24,           
+      "KEY", 25,          
+      "PX", 26,            
+      "GPOS", 27,          
+      "AAAA", 28,          
+      "LOC", 29,           
+      "NXT", 30,           
+      "EID", 31,           
+      "NIMLOC", 32,        
+      "SRV", 33,           
+      "ATMA", 34,          
+      "NAPTR", 35,         
+      "KX", 36,            
+      "CERT", 37,          
+      "A6", 38,            
+      "DNAME", 39,         
+      "SINK", 40,          
+      "OPT", 41,           
+      "APL", 42,           
+      "DS", 43,            
+      "SSHFP", 44,         
+      "IPSECKEY", 45,      
+      "RRSIG", 46,         
+      "NSEC", 47,          
+      "DNSKEY", 48,        
+      "DHCID", 49,         
+      "NSEC3", 50,         
+      "NSEC3PARAM", 51,    
+      "TLSA", 52,          
+      "SMIMEA", 53,        
+      "HIP", 55,           
+      "NINFO", 56,         
+      "RKEY", 57,          
+      "TALINK", 58,        
+      "CDS", 59,           
+      "CDNSKEY", 60,       
+      "OPENPGPKEY", 61,    
+      "CSYNC", 62,         
+      "ZONEMD", 63,        
+      "SVCB", 64,          
+      "HTTPS", 65,         
+      "SPF", 99,           
+      "UINFO", 100,        
+      "UID", 101,          
+      "GID", 102,          
+      "UNSPEC", 103,       
+      "TKEY", 249,         
+      "TSIG", 250,         
+      "IXFR", 251,        
+      "MAILB", 253,        
+      "MAILA", 254,        
+      "ANY", 255,            
+      "URI", 256,          
+      "CAA", 257,          
+      "TA", 32768,         
+      "DLV", 32769         
+  ];
+  let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)
+      [
+      "NOERROR", 0,        
+      "FORMERR", 1,        
+      "SERVFAIL", 2,       
+      "NXDOMAIN", 3,       
+      "NOTIMPL", 4,        
+      "REFUSED", 5,        
+      "YXDOMAIN", 6,       
+      "YXRRSET", 7,        
+      "NXRRSET", 8,        
+      "NOTAUTH", 9,        
+      "NOTZONE", 10,       
+      "DSOTYPENI", 11,     
+      "RESERVED12", 12,
+      "RESERVED13", 13,
+      "RESERVED14", 14,
+      "RESERVED15", 15,
+      "BADVERS", 16,       
+      "BADKEY", 17,        
+      "BADTIME", 18,       
+      "BADMODE", 19,       
+      "BADNAME", 20,       
+      "BADALG", 21,        
+      "BADTRUNC", 22,      
+      "BADCOOKIE", 23,     
+      ];
+  let parser = (disabled:bool=false) {
+      CommonSecurityLog
+      | where not(disabled) and DeviceVendor == "Infoblox" and DeviceEventClassID has "DNS"
+      | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=";", kv_delimiter="=")
+      | project-rename 
+          EventResultDetails = InfobloxDNSRCode,
+          DnsQueryTypeName = InfobloxDNSQType,
+          DnsFlags = InfobloxDNSQFlags
+      | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])
+      | lookup EventSeverityLookup on LogSeverity
+      | lookup DnsQueryTypeLookup on DnsQueryTypeName
+      | lookup DnsResponseCodeLookup on EventResultDetails
+      | invoke _ASIM_ResolveDvcFQDN('DeviceName')
+      | project-rename 
+          DnsQuery = DestinationDnsDomain,
+          DvcIpAddr = DeviceAddress,
+          SrcIpAddr = SourceIP,
+          EventMessage = Message,
+          EventOriginalSeverity = LogSeverity,
+          EventOriginalType = DeviceEventClassID,
+          SrcUsername = SourceUserName,
+          SrcPortNumber = SourcePort,
+          EventUid = _ItemId
+      | extend
+          Dvc = coalesce(DvcHostname, DvcIpAddr),
+          EventEndTime = TimeGenerated,
+          EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure"),
+          DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery),
+          EventStartTime = TimeGenerated,
+          Src = SrcIpAddr,
+          SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+          DnsResponseCodeName = EventResultDetails,
+          IpAddr = SrcIpAddr,
+          User = SrcUsername
+      | extend Domain = DnsQuery
+      | extend
+          EventCount = toint(1),
+          EventSchema = "Dns",
+          EventSchemaVersion = "0.1.7",
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventType = "Query",
+          DnsQueryClass = toint(1),
+          DnsQueryClassName = "IN"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          EventOutcome,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          ExtID,
+          Reason
+      };
+      parser(disabled=disabled)

Parsers/ASimDns/Parsers/imDns.yaml

@@ -62,7 +62,8 @@ ParserQuery: |
     vimDnsNative            ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative'              in (DisabledParsers) ))),
     vimDnsSentinelOne       ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne'         in (DisabledParsers) ))),
     vimDnsVectraAI          ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI'            in (DisabledParsers) ))),
-    vimDnsZscalerZIA        ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA'          in (DisabledParsers) )))
+    vimDnsZscalerZIA        ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA'          in (DisabledParsers) ))),
+    vimDnsInfobloxBloxOne        ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxBloxOne'          in (DisabledParsers) )))
     };
   Generic( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)
 EquivalentBuiltInParser: _Im_Dns
@@ -82,3 +83,4 @@ Parsers:
   - _Im_Dns_SentinelOne
   - _Im_Dns_VectraAI
   - _Im_Dns_ZscalerZIA
+  - _Im_Dns_InfobloxBloxOne

Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml

@@ -0,0 +1,285 @@
+Parser:
+  Title: Dns ASIM parser for Infoblox BloxOne
+  Version: '0.1.0'
+  LastUpdated: Sep 11, 2024
+Product:
+  Name: Infoblox BloxOne
+Normalization:
+  Schema: Dns
+  Version: '0.1.7'
+References:
+- Title: ASIM Dns Schema
+  Link: https://aka.ms/ASimDnsDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+  Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+  This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: vimDnsInfobloxBloxOne
+EquivalentBuiltInParser: _Im_Dns_InfobloxBloxOne
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: srcipaddr
+    Type: string
+    Default: '*'
+  - Name: domain_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: responsecodename
+    Type: string
+    Default: '*'
+  - Name: response_has_ipv4
+    Type: string
+    Default: '*'
+  - Name: response_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype
+    Type: string
+    Default: 'Query'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+    [
+      "0", "Low",
+      "1", "Low",
+      "2", "Low",
+      "3", "Low",
+      "4", "Medium",
+      "5", "Medium",
+      "6", "Medium",
+      "7", "High",
+      "8", "High",
+      "9", "High",
+      "10", "High"
+  ];
+  let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)
+      [
+      "A", 1,
+      "NS", 2,
+      "MD", 3,
+      "MF", 4,
+      "CNAME", 5,
+      "SOA", 6,
+      "MB", 7,
+      "MG", 8,
+      "MR", 9,
+      "NULL", 10,
+      "WKS", 11,
+      "PTR", 12,
+      "HINFO", 13,
+      "MINFO", 14,
+      "MX", 15,
+      "TXT", 16,
+      "RP", 17,
+      "AFSDB", 18,
+      "X25", 19,
+      "ISDN", 20,          
+      "RT", 21, 
+      "NSAP", 22,          
+      "NSAPPTR", 23,       
+      "SIG", 24,           
+      "KEY", 25,          
+      "PX", 26,            
+      "GPOS", 27,          
+      "AAAA", 28,          
+      "LOC", 29,           
+      "NXT", 30,           
+      "EID", 31,           
+      "NIMLOC", 32,        
+      "SRV", 33,           
+      "ATMA", 34,          
+      "NAPTR", 35,         
+      "KX", 36,            
+      "CERT", 37,          
+      "A6", 38,            
+      "DNAME", 39,         
+      "SINK", 40,          
+      "OPT", 41,           
+      "APL", 42,           
+      "DS", 43,            
+      "SSHFP", 44,         
+      "IPSECKEY", 45,      
+      "RRSIG", 46,         
+      "NSEC", 47,          
+      "DNSKEY", 48,        
+      "DHCID", 49,         
+      "NSEC3", 50,         
+      "NSEC3PARAM", 51,    
+      "TLSA", 52,          
+      "SMIMEA", 53,        
+      "HIP", 55,           
+      "NINFO", 56,         
+      "RKEY", 57,          
+      "TALINK", 58,        
+      "CDS", 59,           
+      "CDNSKEY", 60,       
+      "OPENPGPKEY", 61,    
+      "CSYNC", 62,         
+      "ZONEMD", 63,        
+      "SVCB", 64,          
+      "HTTPS", 65,         
+      "SPF", 99,           
+      "UINFO", 100,        
+      "UID", 101,          
+      "GID", 102,          
+      "UNSPEC", 103,       
+      "TKEY", 249,         
+      "TSIG", 250,         
+      "IXFR", 251,        
+      "MAILB", 253,        
+      "MAILA", 254,        
+      "ANY", 255,            
+      "URI", 256,          
+      "CAA", 257,          
+      "TA", 32768,         
+      "DLV", 32769         
+  ];
+  let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)
+      [
+      "NOERROR", 0,        
+      "FORMERR", 1,        
+      "SERVFAIL", 2,       
+      "NXDOMAIN", 3,       
+      "NOTIMPL", 4,        
+      "REFUSED", 5,        
+      "YXDOMAIN", 6,       
+      "YXRRSET", 7,        
+      "NXRRSET", 8,        
+      "NOTAUTH", 9,        
+      "NOTZONE", 10,       
+      "DSOTYPENI", 11,     
+      "RESERVED12", 12,
+      "RESERVED13", 13,
+      "RESERVED14", 14,
+      "RESERVED15", 15,
+      "BADVERS", 16,       
+      "BADKEY", 17,        
+      "BADTIME", 18,       
+      "BADMODE", 19,       
+      "BADNAME", 20,       
+      "BADALG", 21,        
+      "BADTRUNC", 22,      
+      "BADCOOKIE", 23,     
+      ];
+  let parser = (
+      starttime: datetime=datetime(null),
+      endtime: datetime=datetime(null),
+      srcipaddr: string='*', 
+      domain_has_any: dynamic=dynamic([]),
+      responsecodename: string='*',
+      response_has_ipv4: string='*',
+      response_has_any_prefix: dynamic=dynamic([]),
+      eventtype: string='Query',
+      disabled: bool=false
+      ) {
+      CommonSecurityLog
+      | where not(disabled)
+            and (eventtype == '*' or eventtype == "Query")
+            and (isnull(starttime) or TimeGenerated >= starttime)
+            and (isnull(endtime) or TimeGenerated <= endtime)
+            and DeviceVendor == "Infoblox" 
+            and DeviceEventClassID has "DNS"
+            and (srcipaddr=="*" or has_ipv4(SourceIP, srcipaddr))
+            and response_has_ipv4 == '*'
+            and array_length(response_has_any_prefix) == 0
+      | project-rename 
+        DnsQuery = DestinationDnsDomain
+      | extend
+        DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery)
+      | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any)
+      | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=";", kv_delimiter="=")
+      | where responsecodename == '*' or (InfobloxDNSRCode =~ responsecodename)
+      | project-rename 
+          EventResultDetails = InfobloxDNSRCode,
+          DnsQueryTypeName = InfobloxDNSQType,
+          DnsFlags = InfobloxDNSQFlags
+      | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])
+      | lookup EventSeverityLookup on LogSeverity
+      | lookup DnsQueryTypeLookup on DnsQueryTypeName
+      | lookup DnsResponseCodeLookup on EventResultDetails
+      | invoke _ASIM_ResolveDvcFQDN('DeviceName')
+      | project-rename 
+          DvcIpAddr = DeviceAddress,
+          SrcIpAddr = SourceIP,
+          EventMessage = Message,
+          EventOriginalSeverity = LogSeverity,
+          EventOriginalType = DeviceEventClassID,
+          SrcUsername = SourceUserName,
+          SrcPortNumber = SourcePort,
+          EventUid = _ItemId
+      | extend
+          Dvc = coalesce(DvcHostname, DvcIpAddr),
+          EventEndTime = TimeGenerated,
+          EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure"),
+          EventStartTime = TimeGenerated,
+          Src = SrcIpAddr,
+          SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+          DnsResponseCodeName = EventResultDetails,
+          IpAddr = SrcIpAddr,
+          User = SrcUsername
+      | extend Domain = DnsQuery
+      | extend
+          EventCount = toint(1),
+          EventSchema = "Dns",
+          EventSchemaVersion = "0.1.7",
+          EventProduct = "BloxOne",
+          EventVendor = "Infoblox",
+          EventType = "Query",
+          DnsQueryClass = toint(1),
+          DnsQueryClassName = "IN"
+      | project-away
+          Source*,
+          Destination*,
+          Device*,
+          AdditionalExtensions,
+          CommunicationDirection,
+          EventOutcome,
+          Protocol,
+          SimplifiedDeviceAction,
+          ExternalID,
+          EndTime,
+          FieldDevice*,
+          Flex*,
+          File*,
+          Old*,
+          MaliciousIP*,
+          OriginalLogSeverity,
+          Process*,
+          ReceivedBytes,
+          SentBytes,
+          Remote*,
+          Request*,
+          StartTime,
+          TenantId,
+          ReportReferenceLink,
+          ReceiptTime,
+          Indicator*,
+          _ResourceId,
+          ThreatConfidence,
+          ThreatDescription,
+          ThreatSeverity,
+          Computer,
+          ApplicationProtocol,
+          ExtID,
+          Reason
+  };
+  parser(
+      starttime=starttime,
+      endtime=endtime,
+      srcipaddr=srcipaddr,
+      domain_has_any=domain_has_any,
+      responsecodename=responsecodename, 
+      response_has_ipv4=response_has_ipv4, 
+      response_has_any_prefix=response_has_any_prefix, 
+      eventtype=eventtype, 
+      disabled=disabled
+  )

Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimDataTester.csv

@@ -0,0 +1,5 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcDomain] of type [Domain]: [""178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcFQDN] of type [FQDN]: [""107.178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:Dns)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcUsername] (Schema:Dns)"

Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv

@@ -0,0 +1,108 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(1) Warning: Missing recommended field [SrcHostname]"
+"(1) Warning: Missing recommended field [TransactionIdHex]"
+"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]"
+"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DnsFlagsAuthenticated]"
+"(2) Info: Missing optional field [DnsFlagsAuthoritative]"
+"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]"
+"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]"
+"(2) Info: Missing optional field [DnsFlagsRecursionDesired]"
+"(2) Info: Missing optional field [DnsFlagsTruncated]"
+"(2) Info: Missing optional field [DnsFlagsZ]"
+"(2) Info: Missing optional field [DnsNetworkDuration]"
+"(2) Info: Missing optional field [DnsResponseIpCity]"
+"(2) Info: Missing optional field [DnsResponseIpCountry]"
+"(2) Info: Missing optional field [DnsResponseIpLatitude]"
+"(2) Info: Missing optional field [DnsResponseIpLongitude]"
+"(2) Info: Missing optional field [DnsResponseIpRegion]"
+"(2) Info: Missing optional field [DnsResponseName]"
+"(2) Info: Missing optional field [DnsSessionId]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDomain]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstDvcScopeId]"
+"(2) Info: Missing optional field [DstDvcScope]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstHostname]"
+"(2) Info: Missing optional field [DstIpAddr]"
+"(2) Info: Missing optional field [DstOriginalRiskLevel]"
+"(2) Info: Missing optional field [DstPortNumber]"
+"(2) Info: Missing optional field [DstRiskLevel]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkProtocolVersion]"
+"(2) Info: Missing optional field [NetworkProtocol]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcProcessId]"
+"(2) Info: Missing optional field [SrcProcessName]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [SrcUserAWSId]"
+"(2) Info: Missing optional field [SrcUserAadId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserOktaId]"
+"(2) Info: Missing optional field [SrcUserScopeId]"
+"(2) Info: Missing optional field [SrcUserScope]"
+"(2) Info: Missing optional field [SrcUserSessionId]"
+"(2) Info: Missing optional field [SrcUserSid]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcUserUid]"
+"(2) Info: Missing optional field [TenantId]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [UrlCategory]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]"

Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimDataTester.csv

@@ -0,0 +1,5 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcDomain] of type [Domain]: [""178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcFQDN] of type [FQDN]: [""107.178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:Dns)"
+"(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcUsername] (Schema:Dns)"

Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv

@@ -0,0 +1,108 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(1) Warning: Missing recommended field [SrcHostname]"
+"(1) Warning: Missing recommended field [TransactionIdHex]"
+"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]"
+"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]"
+"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]"
+"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DnsFlagsAuthenticated]"
+"(2) Info: Missing optional field [DnsFlagsAuthoritative]"
+"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]"
+"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]"
+"(2) Info: Missing optional field [DnsFlagsRecursionDesired]"
+"(2) Info: Missing optional field [DnsFlagsTruncated]"
+"(2) Info: Missing optional field [DnsFlagsZ]"
+"(2) Info: Missing optional field [DnsNetworkDuration]"
+"(2) Info: Missing optional field [DnsResponseIpCity]"
+"(2) Info: Missing optional field [DnsResponseIpCountry]"
+"(2) Info: Missing optional field [DnsResponseIpLatitude]"
+"(2) Info: Missing optional field [DnsResponseIpLongitude]"
+"(2) Info: Missing optional field [DnsResponseIpRegion]"
+"(2) Info: Missing optional field [DnsResponseName]"
+"(2) Info: Missing optional field [DnsSessionId]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDomain]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstDvcScopeId]"
+"(2) Info: Missing optional field [DstDvcScope]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoCountry]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstHostname]"
+"(2) Info: Missing optional field [DstIpAddr]"
+"(2) Info: Missing optional field [DstOriginalRiskLevel]"
+"(2) Info: Missing optional field [DstPortNumber]"
+"(2) Info: Missing optional field [DstRiskLevel]"
+"(2) Info: Missing optional field [DvcAction]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [NetworkProtocolVersion]"
+"(2) Info: Missing optional field [NetworkProtocol]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcProcessGuid]"
+"(2) Info: Missing optional field [SrcProcessId]"
+"(2) Info: Missing optional field [SrcProcessName]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [SrcUserAWSId]"
+"(2) Info: Missing optional field [SrcUserAadId]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserOktaId]"
+"(2) Info: Missing optional field [SrcUserScopeId]"
+"(2) Info: Missing optional field [SrcUserScope]"
+"(2) Info: Missing optional field [SrcUserSessionId]"
+"(2) Info: Missing optional field [SrcUserSid]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcUserUid]"
+"(2) Info: Missing optional field [TenantId]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [UrlCategory]"
+"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]"

Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv

@@ -0,0 +1,21 @@
+TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime [UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:38:01 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='armisappliance8153';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:021,,,,,,,,,,1.1.1.1,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:07 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:022,,,,,,,,,,1.1.1.1,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c';code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:023,,,,,,,,,,1.1.1.3,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:43:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:09:19:00:01:00:01:2d:fc:51:c5:00:50:56:a7:09:19;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=c7cf675d-28b7-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\t\031\000\001\000\001-\374Q\305\000PV\247\t\031';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:024,,,,,,,,,,1.1.1.4,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:44:03 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b6:07:00:01:00:01:2d:df:57:0a:00:50:56:a7:b6:07;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=ca697503-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\266\007\000\001\000\001-\337W\n\000PV\247\266\007';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:025,,,,,,,,,,1.1.1.4,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:46:10 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:50:52;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=13ba6378-32d6-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_51='\000\000\000<';code_53='\003';code_55='\001\034\002y\003\017\006\014w\032';code_61='\001\000PV\201PR',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:026,,,,,,,,,,1.2.1.6,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:47:43 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:63:6d:00:01:00:01:2e:02:c9:c2:00:50:56:a7:63:6d;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=d5782ae0-2c92-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247cm\000\001\000\001.\002\311\302\000PV\247cm';code_12='CE'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:027,,,,,,,,,,1.1.1.7,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:21 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:9f:6e:85:24:00:02:00:00:ab:11:6b:cb:20:2b:0f:d1:be:6e;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=b67e515a-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\003\014\017\006\032!y*';code_57='\002@';code_61='\377\237n\205$\000\002\000\000\253\021k\313';code_12='test',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test,00:50:56:92:0f:028,,,,,,,,,,1.1.1.8,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:37 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=00:63:69:73:63:6f:2d:30:30:35:30:2e:35:36:38:31:2e:62:39:39:62:2d:6f:75:74:73:69:64:65:2d:66:69:72:65:70:6f:77:65:72:00;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=9c38cc9b-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\006\017,\003!';code_57='\004\200';code_61='\000cisco-0050.5681.b99b-outside-firepower\000';code_12='firepower';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,firepower,00:50:56:92:0f:029,,,,,,,,,,1.1.1.8,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:55:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:c3:f2:00:01:00:01:2d:fc:38:18:00:50:56:a7:c3:f2;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=7a8a18bc-28a8-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\303\362\000\001\000\001-\3748\030\000PV\247\303\362';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:030,,,,,,,,,,1.1.1.10,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:01:11 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5c2fcea3-2cdf-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:031,,,,,,,,,,1.1.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:02:53 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:a9:8f:00:01:00:01:2e:0d:5c:6e:00:50:56:a7:a9:8f;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=204fa2cc-32e0-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\251\217\000\001\000\001.\r\n\000PV\247\251\217';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:032,,,,,,,,,,1.1.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:03:23 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:cb:e7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=449cf0dc-2cdc-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_12='GigaVUE-FM-6501';code_53='\003';code_55='\001\002\006\014\017\032\034y\003!()*w\371\374\021';code_57='\377\377';code_61='\001\000PV\201\313\347',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,gigavue-fm-6501,00:50:56:92:0f:033,,,,,,,,,,1.2.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:034,,,,,,,,,,1.1.1.14,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:035,,,,,,,,,,1.1.1.15,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:036,,,,,,,,,,1.1.1.16,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:037,,,,,,,,,,2.2.1.17,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_12='armisappliance8153'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:038,,,,,,,,,,1.1.1.18,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:039,,,,,,,,,,2.2.1.19,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:11:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT';code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:040,,,,,,,,,,1.1.1.20,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406

Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv

@@ -0,0 +1,21 @@
+TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime [UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.1,2.2.2.2,,,,,,,,,,,,,,,,"""www.example.com. 291 IN A 93.184.215.14""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.2,2.2.2.3,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A SERVFAIL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=SERVFAIL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Unreachable",,DNS,,ip.parrotdns.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.3,2.2.2.4,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Information Security",,DNS,,dnsscan.shadowserver.org,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.4,2.2.2.5,,,,,,,,,,,,,,,,"""dnsscan.shadowserver.org. 7199 IN A 184.105.143.133""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.5,2.2.2.6,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:24 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.6,2.2.2.7,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.2.1.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:25 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.7,2.2.2.8,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:31 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.8,2.2.2.9,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:33 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.9,2.2.2.10,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:34 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.10,2.2.2.11,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:46 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.11,2.2.2.12,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:54 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.12,2.2.2.13,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:58 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.13,2.2.2.14,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.2.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4000.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.14,2.2.2.15,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.15,2.2.2.16,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,ip.parrotdns.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.16,2.2.2.17,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.17,2.2.2.18,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,2.2.1.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.18,2.2.2.19,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.19,2.2.2.20,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,2.2.1.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.20,2.2.2.21,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406